In my last article I tried to quickly define “digital identity” and point out important aspects to consider when implementing a national digital identity. I also looked to highlight just a few of the benefits that can be drawn from such a platform. One short
article couldn’t possibly do this topic justice, so with this piece, I wanted to dig a bit deeper and cover
When we talk about something “digital”, the word “connected” is rarely far behind, and if it’s connected, one more word that really should follow is “security”. When it comes to our identity, this is particularly important. Of course, the technologies must
be secure, but so must the processes.
One process we must call out is onboarding or enrolment. A digital identity is only as good as the assurance it can bring, and if we can’t trust the
original identity, we will have little faith in the digital identity. We could use the most secure authentication technology available, but all it would do is authenticate a fraudulent identity, and this defeats the purpose. So, we must
dedicate appropriate consideration to this early stage and ensure that the right person is behind their digital identity.
There are a few different ways to onboard someone and connect them with their digital ID. If we look at the simple identities we create for online services, the method of enrolment often involves sending an email with a confirmation link to click. This
confirms the user owns that email account and this is sufficient for the majority of services. But when we look to services
requiring a higher level of assurance, such as banking or government, a single email won’t fill us with confidence.
The simplest, and often the most effective, method is over-the-counter enrolment. The citizen must present themselves in person to someone working for the government or the bank. It could be at a government office, a police station, a bank branch,
or somewhere equally trusted, but the person is physically there and can then show a government-approved identity document like a passport, ID card, or driver’s license. This is often how we interact with these kinds of services in our offline worlds, so we
can be confident that this is also suitable for onboarding.
But there are other methods of enrolment that can be more efficient and involve less travel and queueing. There are many companies now offering
remote enrolment solutions that involve facial recognition and ID document scanning. The mobile app compares the user’s face to the photo in the ID document, and draws out the other relevant information from the document itself. It’s very simple for
the user and all they need is their smartphone. Some online banks are already accepting this, though it’s early days, and when it comes to governments, they’re likely to need more convincing.
One final method to mention involves linking multiple accounts to an individual by sharing codes with each account. For example, “123” via text, “456” via email, and “789” via a reference number of a small bank transaction. The user would then have
to produce all three codes, showing they have access to all accounts. Access to one of these accounts is unlikely to inspire trust, but control over all three (or more) can give enough confidence that the person really is who they say they are.
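The multi-channel check described above can be sketched as follows. This is an added example, not code from the article or from any real enrolment product; the class name, six-digit codes, ten-minute expiry and three-attempt limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CHANNELS = ("sms", "email", "bank_reference")  # the three channels named in the article
CODE_TTL_SECONDS = 600  # assumption: codes expire after 10 minutes
MAX_ATTEMPTS = 3        # assumption: challenge locks after 3 tries


class EnrolmentChallenge:
    """Hypothetical server-side record for one multi-channel enrolment."""

    def __init__(self, now=None):
        self.issued_at = time.time() if now is None else now
        self.attempts = 0
        self._codes = {}

    def issue(self):
        """Create one independent random code per channel for dispatch."""
        self._codes = {ch: f"{secrets.randbelow(10**6):06d}" for ch in CHANNELS}
        return dict(self._codes)

    def verify(self, submitted, now=None):
        """Accept only if every channel's code matches; one use only."""
        now = time.time() if now is None else now
        if not self._codes or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.issued_at > CODE_TTL_SECONDS:
            return False
        self.attempts += 1
        ok = True
        for ch in CHANNELS:
            # Check every channel even after a mismatch, in constant time,
            # so the response does not reveal which code was wrong.
            given = str(submitted.get(ch, "")).encode()
            ok &= hmac.compare_digest(given, self._codes[ch].encode())
        if ok:
            self._codes = {}  # burn the challenge after success
        return ok
```

Control of one or two channels is never enough here: a missing or wrong code on any channel fails the whole challenge and still counts against the attempt limit.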
Different solutions can work for different services, but it’s vital that the
process and technology match the assurance required for that identity. And what must be equally secure and trusted is the method of
re-enrolment. If the user forgets their PIN codes, or loses their smart card, or buys a new phone, how they get new private keys must be on par with the original enrolment. Identity thieves will look for the easiest way in, and if the back-up option
is easier, this is the route they’ll take.
One option for re-enrolment can simply be to use the same method as onboarding, but there are other ways and they don’t necessarily have to be complicated, or even high-tech. One method is providing a PUK (PIN Unlocking Key) code upon enrolment that only
exists for as long as it takes someone to write it down. They then store it somewhere safe, and in the event they need to re-enrol, they use this code. Another option may be to assign a “friend” who can generate and share a PUK code, with this “friend” being
trusted by the service or government. Again, these are just examples, but the important thing is that this method is no easier to bypass than original enrolment.
After enrolment, the focus turns to the method of authentication, which must uphold the trust and assurance provided by the onboarding process. A national digital identity plays a big part in e-government and must be trusted by all parties to work.
There can be no weak link.